
Commit aec2f26

committed
Prevent high resource usage when hashing large passwords. props mdawaffe, pento
git-svn-id: https://develop.svn.wordpress.org/trunk@30466 602fd350-edb4-49c9-b593-d223f7449a82
1 parent e1d16e8 commit aec2f26

2 files changed

Lines changed: 54 additions & 0 deletions


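--- a/src/wp-includes/class-phpass.php
+++ b/src/wp-includes/class-phpass.php
@@ -214,6 +214,10 @@ function gensalt_blowfish($input)
 
 function HashPassword($password)
 {
+if ( strlen( $password ) > 4096 ) {
+return '*';
+}
+
 $random = '';
 
 if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
@@ -249,6 +253,10 @@ function HashPassword($password)
 
 function CheckPassword($password, $stored_hash)
 {
+if ( strlen( $password ) > 4096 ) {
+return false;
+}
+
 $hash = $this->crypt_private($password, $stored_hash);
 if ($hash[0] == '*')
 $hash = crypt($password, $stored_hash);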
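Review bot: HashPassword answering an over-long password with the bare sentinel `'*'` pushes the failure downstream — the test file in this same commit shows wp_set_password persisting `'*'` into user_pass, so the account is left with no verifiable hash and nothing tells the caller or the user why; the length check should also run at the input boundary (where a WP_Error can be returned before anything is written), with the `'*'` here kept only as a last-resort guard. The guard deliberately uses strlen (bytes), which is the right measure because the work being bounded is the md5/crypt rounds over the raw byte string, but without a comment the next reader will "fix" it to mb_strlen; I would add `// Byte length on purpose: this bounds the work done by the hashing rounds below.` above each check. The 4096 literal is now duplicated in two methods, so a single named constant would stop them drifting apart. The rest of CheckPassword, including the final comparison of $hash against $stored_hash, is outside the hunk.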

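--- a/tests/phpunit/tests/auth.php
+++ b/tests/phpunit/tests/auth.php
@@ -2,6 +2,7 @@
 
 /**
 * @group pluggable
+* @group auth
 */
 class Tests_Auth extends WP_UnitTestCase {
 var $user_id;
@@ -99,4 +100,49 @@ function test_wp_verify_nonce_with_empty_arg() {
 $this->assertFalse( wp_verify_nonce( '' ) );
 $this->assertFalse( wp_verify_nonce( null ) );
 }
+
+function test_password_length_limit() {
+$passwords = array(
+str_repeat( 'a', 4095 ), // short
+str_repeat( 'a', 4096 ), // limit
+str_repeat( 'a', 4097 ), // long
+);
+
+$user_id = $this->factory->user->create( array( 'user_login' => 'password-length-test' ) );
+
+wp_set_password( $passwords[1], $user_id );
+$user = get_user_by( 'id', $user_id );
+// phpass hashed password
+$this->assertStringStartsWith( '$P$', $user->data->user_pass );
+
+$user = wp_authenticate( 'password-length-test', $passwords[0] );
+// Wrong Password
+$this->assertInstanceOf( 'WP_Error', $user );
+
+$user = wp_authenticate( 'password-length-test', $passwords[1] );
+$this->assertInstanceOf( 'WP_User', $user );
+$this->assertEquals( $user_id, $user->ID );
+
+$user = wp_authenticate( 'password-length-test', $passwords[2] );
+// Wrong Password
+$this->assertInstanceOf( 'WP_Error', $user );
+
+
+wp_set_password( $passwords[2], $user_id );
+$user = get_user_by( 'id', $user_id );
+// Password broken by setting it to be too long.
+$this->assertEquals( '*', $user->data->user_pass );
+
+$user = wp_authenticate( 'password-length-test', $passwords[0] );
+// Wrong Password
+$this->assertInstanceOf( 'WP_Error', $user );
+
+$user = wp_authenticate( 'password-length-test', $passwords[1] );
+// Wrong Password
+$this->assertInstanceOf( 'WP_Error', $user );
+
+$user = wp_authenticate( 'password-length-test', $passwords[2] );
+// Password broken by setting it to be too long.
+$this->assertInstanceOf( 'WP_Error', $user );
+}
 }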
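Review bot: Every `$this->assertInstanceOf( 'WP_Error', $user )` in test_password_length_limit accepts any error at all, so the test would still pass if the fixture user was never created or the login were rejected for an unrelated reason; asserting the specific error code after each one (the code WordPress uses for a bad password, `incorrect_password` if I recall correctly, via `$user->get_error_code()`) would pin that it is the password check that failed. The `assertEquals( '*', $user->data->user_pass )` check turns the silent `'*'` sentinel from HashPassword into the expected result of wp_set_password with an over-long password, which is a limitation being locked in rather than desired behaviour; a comment such as `// Documents current behaviour: the too-long password is not rejected, the stored hash is just unusable.` would stop a future reader from treating it as a feature. Covering the exact 4096-byte boundary on both the set and authenticate paths is the right call.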
